2 routers on network?

xXaNaXx

is there any way to have a second router connected behind a primary router, and still have computers on both sides of the second router communicate with each other?

the network is set up like this:

network.jpg


he wants to have his own router so that he can have his own access to port forwarding & other functions, while still being behind a firewall, so i set his router up on my router's DMZ, but the only way we can get his computer to access the internet when set up like this is if my router's LAN side subnet and his router's LAN side subnet are different (i.e., my network runs on 192.168.0.x and his is 192.168.1.x), but when it is set up this way, we cannot communicate with each other's computers. is there an easy way to accomplish this?
 
You would need to edit the routing tables for each router, adding a route from one subnet to the other (through the proper router) to each router. This generally is not possible with SOHO routers...
 
What's the point in doing this?

It looks like you could just use one router and port forwarding.
 
puck said:
What's the point in doing this?

It looks like you could just use one router and port forwarding.

Exactly.

You still only have 1 public IP, so you can only forward a port to one PC on the inside anyway.
 
Yeah, what you are trying to do won't work unless you are using something other than your traditional SOHO (Linksys, Netgear) routers.
 
millhouse said:
Yeah, what you are trying to do won't work unless you are using something other than your traditional SOHO (Linksys, Netgear) routers.


actually it will work
either set up your brother's router to use dhcp or give it a static route and point it to your main router

Bro's PC (Router 1) You 1, You 2, (Router 2) Internet

Router1's external IP will be on the same lan as you, disable most of its security features and forward proper ports for file sharing and so on.


Terrible network. But is doable with linksys routers.
Better off building a smoothwall or other nix based hardware solution. Adding 3 nics in it and setting up two networks. that is if you really need two networks.
 
With regard to all the ringing "Why?"s, it is entirely reasonable for his brother to want his own network. It is especially so, being that he already _has_ the hardware. This is just Intro to ISP 101.

The previous poster could be entirely correct in asserting that it could be done with Linksys routers, I tend to play with much bigger iron than that, so I could be wrong. However, I will also support the better option of using a more robust routing solution for yourself, OP. Leave your brother to pull an IP to his SOHO and get yourself something that will allow you the flexibility that you are needing - his standards should not be yours, in this case.
 
i tried setting up a static route on his router that pointed to my computer (and vice versa), but we were still unable to see each other on the network (although, he does have internet access), whereas we were able to see each other's comps before he introduced his router and we were on the same subnet.


here's what i've done so far, without success.....
--------------------------------------------------------------------------
my main comp's settings:

IP: 192.168.0.2
Mask: 255.255.0.0
Gateway: 192.168.0.1


my router's LAN settings:

IP: 192.168.0.1
Mask: 255.255.0.0


my bro's comp:

IP: 192.168.1.201
Mask: 255.255.0.0
Gateway: 192.168.1.200


my bro's router WAN settings:

IP: 192.168.0.99
Mask: 255.255.0.0
Gateway: 192.168.0.1


my bro's router LAN settings:

IP: 192.168.1.200
Mask: 255.255.0.0

--------------------------------------------------------------------------
i tried setting up a static route on his router with:

Destination IP: 192.168.0.2 (my comp's IP)
Mask: 255.255.0.0
Gateway: 192.168.1.200 (his router's LAN IP)
Metric: 2


and a static route on my router with:

Destination IP: 192.168.1.201 (his computer's IP)
Mask: 255.255.0.0
Gateway: 192.168.0.1 (my router's LAN IP)
Metric: 2

--------------------------------------------------------------------------
but it still would not work for some reason....please tell me if i'm doing something wrong here.....and yes, i know it would be much easier to just take his router out of the loop altogether, but as was said, he already has it and wants to use it, so i'd like to figure this out (plus, i like figuring stuff like this out, it's just that much more experience for the future....)

edit: btw, DHCP is turned off on both routers.....
 
hypno-toad said:
Exactly.

You still only have 1 public IP, so you can only forward a port to one PC on the inside anyway.


if his router is on the DMZ, then any port that my router is not forwarding to my network should technically be able to be forwarded to his network by setting up the forwarding on his router.....unless i am mistaken?

we're not trying to forward the same port to multiple IP's, i'm well aware that won't work.
 
The gateway entry should be the next hop interface toward the destination... e.g.:

ROUTER(EXT. IP) -> Internet
ROUTER (192.168.0.1/24) -> PC1 (192.168.0.100/24) = First subnet
ROUTER(192.168.1.1/24) -> PC2 (192.168.1.100/24) = Second subnet

Now, ROUTER would be dual-homed in both the 192.168.0 and 192.168.1 subnets. It would also be homed in whatever address space the external interface is in. Both PC1 and PC2 will have a gateway address corresponding to ROUTER, but PC1 will have 192.168.0.1 and PC2 will have 192.168.1.1.

In your example, you would set the static route for each subnet on each router. Your router will have a route to _his_ router for the address space, and his router will have a route to _your_ router for the other address space. Don't set the route to the individual machines, set it for the whole address space.
 
smokey said:
...In your example, you would set the static route for each subnet on each router. Your router will have a route to _his_ router for the address space, and his router will have a route to _your_ router for the other address space. Don't set the route to the individual machines, set it for the whole address space.


my Netgear router says that when setting up static routes, to set the Destination IP to the final destination, as shown below:

staticroute.jpg


does "final destination" not mean his computer's IP address? or should the destination IP be his router's LAN or WAN IP?
 
Ok, I see how this is working... His router should be connected (via the WAN port) to your router (via a LAN port). Then set the gateway on your router's static route to his WAN IP and the gateway on his router's static route to your LAN IP.
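
The rule from the two replies above (route the whole subnet, and use the next hop on a directly connected subnet as the gateway), as an added example that is not part of any post in the thread. The function name and problem codes are hypothetical, only the LAN interface of the first router is modelled because its WAN side is not given in the thread, and the overlap check goes beyond what the replies say:

```python
import ipaddress

# Explanations for the problem codes returned by check_static_route().
# The codes are names made up for this example.
EXPLAIN = {
    "destination-is-host": "destination is a single host; route the subnet",
    "gateway-is-self": "gateway is this router's own address, not a next hop",
    "gateway-not-on-link": "gateway is not on a directly connected subnet",
    "destination-overlaps-connected":
        "destination falls inside a subnet this router is already on",
}


def check_static_route(connected, dest, mask, gateway):
    """Sanity-check one static route entry.

    connected -- the router's own interfaces as 'ip/mask' strings
    dest/mask -- destination and mask as typed into the route form
    gateway   -- next-hop address as typed into the route form
    Returns a list of problem codes (empty list means the entry is sane).
    """
    ifaces = [ipaddress.ip_interface(c) for c in connected]
    gw = ipaddress.ip_address(gateway)
    net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    problems = []

    # A subnet route names the network address (host bits all zero).
    if net.network_address != ipaddress.ip_address(dest):
        problems.append("destination-is-host")

    # The gateway must be another device reachable on a connected subnet.
    if any(gw == i.ip for i in ifaces):
        problems.append("gateway-is-self")
    elif not any(gw in i.network for i in ifaces):
        problems.append("gateway-not-on-link")

    # With mask 255.255.0.0, 192.168.0.x and 192.168.1.x are one subnet,
    # so a route between them can never be selected.
    if any(net.overlaps(i.network) for i in ifaces):
        problems.append("destination-overlaps-connected")

    return problems


# Route on the first router as first attempted in the thread.
FIRST_ATTEMPT = check_static_route(
    connected=["192.168.0.1/255.255.0.0"],
    dest="192.168.1.201", mask="255.255.0.0", gateway="192.168.0.1",
)

# Same router after the advice: whole subnet, 255.255.255.0 masks,
# gateway set to the second router's WAN address.
CORRECTED = check_static_route(
    connected=["192.168.0.1/255.255.255.0"],
    dest="192.168.1.0", mask="255.255.255.0", gateway="192.168.0.99",
)

# Constructed variant: pointing at the second router's LAN address,
# which the first router cannot reach directly.
WRONG_SIDE = check_static_route(
    connected=["192.168.0.1/255.255.255.0"],
    dest="192.168.1.0", mask="255.255.255.0", gateway="192.168.1.200",
)

if __name__ == "__main__":
    for label, result in (("first attempt", FIRST_ATTEMPT),
                          ("corrected", CORRECTED),
                          ("wrong side", WRONG_SIDE)):
        print(label + ":", "ok" if not result else "")
        for code in result:
            print("  -", EXPLAIN[code])
```

A clean result only means the entry is well formed; it says nothing about whether the second router's NAT or firewall will accept the forwarded traffic.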
 
ok, we've been racking our brains on this, and we've tried what seems like everything that there is to try, to no avail. below is the exact setup of the network as it currently stands right now, so disregard any of the previous settings:

network2.bmp


the screenshots of the static routes that i believe should be correct are below....route name texas is the static route from his router to my network, and route name speedy is the static route from my router to his network:

texas.jpg
speedy.jpg


we have checked the "private" check-box, as this will be for private use only (not routed over the internet), and set up the destination IP addresses to 192.168.x.0, which should (if i'm correct, and have followed what i've found on google searches correctly) allow any computer on my network to reach any computer on his network, and vice versa (since specifying a "0" at the end tells it that it could be any IP between 1 - 255). We are using a subnet mask of 255.255.255.0 everywhere. it is still not working, and it's really starting to irritate me.....

is this not all correct, and if not, can someone please tell me the right static route settings that i should be using?
 
anyone else have any ideas (besides removing the second router....please be helpful)?
 
Try pinging these:

Speedy -> 192.168.0.1
Texas -> 192.168.0.99
Washington -> 192.168.0.99
Speedy -> 192.168.0.2
Speedy -> 192.168.0.3
Texas -> 192.168.1.201

If you can't hit any one of these, try pinging the broadcast addresses for each subnet from Texas and Speedy:
Speedy -> 192.168.0.255/192.168.1.255
Texas -> 192.168.0.255/192.168.1.255

Let's see what works and who can talk to who.
 
You will need a routing table. With SOHO/Consumer 'routers,' the routing is really simple. The target host is either
A) only a broadcast away on the one local subnet you have or
B) on the Internet and accessed through the default gateway.

So, when you attempt to reach a host on the other subnet, it will do one of two things: broadcast and get no response, or send the request to the router, which DHCP will set as the default gateway. However, the router has no idea what \\ComputerName is, so it just drops the packets.

In order to find computers by name on a different subnet, you will have to set up a WINS and/or DNS server on the network, and supply the address of that server in the DHCP leases or statically. Sorry, but you're not going to get the broadcasts to go over the routers - they are programmed to drop broadcasts, so you won't be able to Start\Run\"\\ComputerName" to bring up a computer on a different subnet.

You can also create static routes between the subnets *and* raise the metric on the default gateway route so that it will try the other subnet before trying the default gateway. This will allow you to find computers by IP address on the other subnets, and you can create a lmhosts file with the NetBIOS names of all of your computers to enable you to find comps by name. However, if you do this, you must either know the IP address of the box you're trying to access, or have an lmhosts file with the names and IP addresses of each box on each computer.

From a flexibility standpoint, you'd be best off with a server box with three network cards (cable modem, and one for each subnet) and create the static routes on it, make it a DHCP server and WINS/DNS server. However, Windows Server Licenses are very expensive. Install NAT on the server box, map your incoming ports to various clients. This is exactly what I have, and it works marvelously well. All name resolutions occur basically instantly, and I also have a huge cache of Internet DNS lookups to boot.

Also, why are you running two routers anyway? Wouldn't you be able to split the port forwarding between boxes if you don't use the DMZ port at all?
 
pings from "Texas":

Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>ping 192.168.0.99

Pinging 192.168.0.99 with 32 bytes of data:

Reply from 192.168.0.99: bytes=32 time=5ms TTL=64
Reply from 192.168.0.99: bytes=32 time=1ms TTL=64
Reply from 192.168.0.99: bytes=32 time=1ms TTL=64
Reply from 192.168.0.99: bytes=32 time=1ms TTL=64

Ping statistics for 192.168.0.99:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 5ms, Average = 2ms

C:\Documents and Settings\Administrator>ping 192.168.1.200

Pinging 192.168.1.200 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.200:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\Administrator>ping 192.168.1.201

Pinging 192.168.1.201 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.201:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\Administrator>ping 192.168.1.255

Pinging 192.168.1.255 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.255:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

pings from "Speedy":

Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
 
C:\Documents and Settings\Administrator>ping 192.168.0.1
 
Pinging 192.168.0.1 with 32 bytes of data:
 
Reply from 192.168.0.1: bytes=32 time=1ms TTL=250
Reply from 192.168.0.1: bytes=32 time=1ms TTL=250
Reply from 192.168.0.1: bytes=32 time=1ms TTL=250
Reply from 192.168.0.1: bytes=32 time=1ms TTL=250
 
Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
 
C:\Documents and Settings\Administrator>ping 192.168.0.2
 
Pinging 192.168.0.2 with 32 bytes of data:
 
Request timed out.
Request timed out.
Request timed out.
Request timed out.
 
Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
 
C:\Documents and Settings\Administrator>
 
DougLite said:
...You can also create static routes between the subnets *and* raise the metric on the default gateway route so that it will try the other subnet before trying the default gateway. This will allow you to find computers by IP address on the other subnets, and you can create a lmhosts file with the NetBIOS names of all of your computers to enable you to find comps by name. However, if you do this, you must either know the IP address of the box you're trying to access, or have an lmhosts file with the names and IP addresses of each box on each computer.

ok, so how would i go about setting up an lmhosts file? i've not had any experience with this yet
 
Ok, I see a couple of problems.

1) Your brother's router is NATing, instead of purely bridging the two subnets.

2) Your router is not bridging the two subnets at all, but at least you can ping the LAN side through your bro's router.

These will need to be solved in this order. After your brother's router decides it wants to route between the .0.x and .1.x subnets, you should check number 2; it might fix itself. As for how to fix this... on Cisco or iptables/ipfw/pf I could show you, but I have no idea on your equipment.
 
smokey said:
Ok, I see a couple of problems.

1) Your brother's router is NATing, instead of purely bridging the two subnets.

2) Your router is not bridging the two subnets at all, but at least you can ping the LAN side through your bro's router.

These will need to be solved in this order. After your brother's router decides it wants to route between the .0.x and .1.x subnets, you should check number 2; it might fix itself. As for how to fix this... on Cisco or iptables/ipfw/pf I could show you, but I have no idea on your equipment.


he wants it to NAT instead of just bridging....he wants his own secure network from a public standpoint (since i have set up his router on the DMZ to allow him to forward his own ports in his router), but also freely accessible from the computers on my own network
 
ok, i think i may have figured out another solution so as not to have to use WINS/DNS or lmhosts. let me know how you think this would work....it obviously involves installing an extra NIC in each computer, and another run of cat5, but that's not a problem (my brother does cable installation for a living), and we already have two extra switches & extra NIC's:

network3.bmp
 
What is the point of having two switches? The second switch adds nothing. As far as the original problem goes, the 192.168.x.x block is not publicly routable. Could the second router be preventing your computers from seeing the computers that are hooked up to it? Think of a single router situation where you have a router hooked up to an internet connection and you have a few computers hooked up that all get 192.168.x.x addresses. You can't ping those 192.168.x.x addresses from the wan side of the router. Wouldn't the same thing apply when you hook up a router to an internal network? The router won't allow external nodes to access those internal addresses. I would actually be surprised if this did work because that would mean that the routers didn't exactly follow standard networking conventions.

I understand what you are trying to accomplish, but I feel that using a couple soho routers is just about the worst way to accomplish it. They just weren't designed for advanced configurations like this.
 
jpmkm said:
What is the point of having two switches? The second switch adds nothing.

sure it does....it's there in case he ever decides to add another computer (or computers), or if he is working on someone else's computer and ends up needing access to one of my comps.

jpmkm said:
As far as the original problem goes, the 192.168.x.x block is not publicly routable. Could the second router be preventing your computers from seeing the computers that are hooked up to it?

that's why we were trying to use the static routes to get around this, but this obviously will not work without the WINS/DNS servers, or the lmhosts files that DougLite mentioned.

jpmkm said:
Think of a single router situation where you have a router hooked up to an internet connection and you have a few computers hooked up that all get 192.168.x.x addresses. You can't ping those 192.168.x.x addresses from the wan side of the router. Wouldn't the same thing apply when you hook up a router to an internal network? The router won't allow external nodes to access those internal addresses. I would actually be surprised if this did work because that would mean that the routers didn't exactly follow standard networking conventions.

that's why i set up his router on the DMZ, so that if he has a server set up on his computer, and he forwards (for example) port 8080 to it using 192.168.1.201, as long as i also don't have port 8080 forwarded to one of my comps, it should be transparent and route it to his computer instead when someone from the outside tries to connect on the public IP address on the specified port (in the example, port 8080).

jpmkm said:
I understand what you are trying to accomplish, but I feel that using a couple soho routers is just about the worst way to accomplish it. They just weren't designed for advanced configurations like this.

again, we're using what we already have available to us. i know there are better ways to do it, but not without having to purchase extra equipment.....if you know of another way to do it without buying more equipment, i'm all ears.

i even told him myself that it would be much, much easier to just keep all our computers on the same subnet and i would just give him access to my router to do any port forwarding (which would actually help us keep better track of what ports were already used and which ones are still available), but he really wants to use his own router, so we're trying to figure out a way to make it happen.
 
xXaNaXx said:
that's why i set up his router on the DMZ, so that if he has a server set up on his computer, and he forwards (for example) port 8080 to it using 192.168.1.201, as long as i also don't have port 8080 forwarded to one of my comps, it should be transparent and route it to his computer instead when someone from the outside tries to connect on the public IP address on the specified port (in the example, port 8080).
I think you might have missed the point I was trying to make. I was just providing an example to show that you cannot access internal machines from the wan side of the router. The DMZ means nothing in this case. It doesn't have any effect whatsoever on your computers being able to see his computers. The DMZ is set up on your router so that the outside world can go straight to your brother's router, but that has no effect on the internal side of your router. If I understand correctly, port forwarding wasn't ever an issue. The main issue was your and his computers being able to talk to each other. What I am saying is that you cannot access individual computers that are hooked up to his router due to the NAT that the router performs and the fact that you are using non-publicly routable address space. I don't think any amount of static routing is really going to help in this case. A static route is just going to get you to his router; it isn't going to get you through his router. I know you are trying to use equipment you already have, but what I'm saying is that it just isn't the right equipment to be using. I have a pile of modems in the garage and I could conceivably somehow wire up a network with them, but that doesn't mean it is a good idea or that it will even work. I have the equipment, but it's not the right equipment for what I want to do.
 
jpmkm said:
I think you might have missed the point I was trying to make. I was just providing an example to show that you cannot access internal machines from the wan side of the router. The DMZ means nothing in this case. It doesn't have any effect whatsoever on your computers being able to see his computers. The DMZ is set up on your router so that the outside world can go straight to your brother's router, but that has no effect on the internal side of your router. If I understand correctly, port forwarding wasn't ever an issue. The main issue was your and his computers being able to talk to each other. What I am saying is that you cannot access individual computers that are hooked up to his router due to the NAT that the router performs and the fact that you are using non-publicly routable address space. I don't think any amount of static routing is really going to help in this case. A static route is just going to get you to his router; it isn't going to get you through his router. I know you are trying to use equipment you already have, but what I'm saying is that it just isn't the right equipment to be using. I have a pile of modems in the garage and I could conceivably somehow wire up a network with them, but that doesn't mean it is a good idea or that it will even work. I have the equipment, but it's not the right equipment for what I want to do.

no, i didn't miss the point at all.....

you asked, and i quote: "As far as the original problem goes, the 192.168.x.x block is not publicly routable.", then after your example you said: "You can't ping those 192.168.x.x addresses from the wan side of the router. Wouldn't the same thing apply when you hook up a router to an internal network?".

i admitted that after hearing the options that DougLite presented (WINS/DNS and/or lmhosts files) that networking the 3 computers on 2 different networks is not just as easy as setting up the static routes that i was trying to do to get around that problem. i mistakenly assumed that since the two networks were never "publicly routed" as you mentioned, that it would not be an issue, as long as the static routing was set up correctly to translate between the two networks.

by the time you made your post, i think we were already on different pages. i was not trying to enable file sharing between our 3 computers by going through the routers anymore, i was seeing what anyone thought about just setting up a third private network for the file sharing, while we each have our own private network for apps that are accessed from the internet.

for instance, i could have an FTP server running on my computer (192.168.0.3) and have traffic to it routed via port forwarding (set up in my router) on port 8181. then he could also have his own FTP server on his computer (192.168.1.201) that has traffic routed to it (set up in his router, which is on the DMZ of my router) on port 8080. then for simple file sharing between either one of my computers and his computer, we could have a third network on the 192.168.3.x range (facilitated by a second NIC in each computer) with a direct switched connection, i.e., no routing involved.

throughout this whole thing, i have told him that it will be much easier to just use my router for all the port forwarding and be done with it, but curiosity also got the best of me, as i love learning new ways to do things. although it may not be (ok, it's definitely not) the best or easiest way to do things, it is still beneficial to know how to do it if there is ever a good reason for doing it a different way, would you not agree? :)

after all, knowledge is power....
 
Your suggestion is called a 'back channel', and it could work just fine. You will probably find, though, that you are working with the routing tables on the individual workstations more than the routers, with this type of configuration. Whether that is ok with you or not... that's your call. It _is_ one more option though...
 
While playing with my network at home in order to earn my CCNA I discovered that Linksys routers are quite capable of doing this. In order to make it work, you have to turn on RIP as the routing protocol. By doing so I was able to get my little dumb SOHO Linksys router to act as the gateway for the big bad Ciscos I had set up on my home network.

The option for RIP was hidden behind an advanced options button. Do you have any such options on that Netgear?

Without a routing protocol, this isn't going to work.
 
Shadowspawn said:
While playing with my network at home in order to earn my CCNA I discovered that Linksys routers are quite capable of doing this. In order to make it work, you have to turn on RIP as the routing protocol. By doing so I was able to get my little dumb SOHO Linksys router to act as the gateway for the big bad Ciscos I had set up on my home network.

The option for RIP was hidden behind an advanced options button. Do you have any such options on that Netgear?

Without a routing protocol, this isn't going to work.


yeah, we set up both routers to use RIP-1 (bidirectional), both with & without the static routes set up, and it still wasn't working.
 